Message-ID: <8bd0f97a0706061758v492eb44y55bb3d6037acf668@mail.gmail.com>
Date:	Wed, 6 Jun 2007 20:58:59 -0400
From:	"Mike Frysinger" <vapier.adi@...il.com>
To:	"Linux Kernel Mailing List" <linux-kernel@...r.kernel.org>
Cc:	dsd@...too.org
Subject: incorrect tracking of /proc/*/exe for overwritten running processes

looking at a simple program:
#include <stdio.h>
#include <unistd.h>

int main()
{
  if (fork()) return 0;            /* parent exits; child keeps running */
  printf("pid = %i\n", getpid());
  while (1) sleep(3600);
}

and where my / and /var/tmp are on the same partition:

# gcc test.c -o /usr/sbin/MOO
# /usr/sbin/MOO
pid = 17144
# readlink /proc/17144/exe
/usr/sbin/MOO

# gcc test.c -o /var/tmp/MOO
# mv /var/tmp/MOO /usr/sbin/MOO
# readlink /proc/17144/exe
/var/tmp/MOO (deleted)

i feel like the new exe link should actually read:
/usr/sbin/MOO (deleted)
otherwise people can easily get confused as they think their daemon
was started in /var/tmp/ and their machine was compromised

# uname -a
Linux vapier 2.6.21.3 #4 SMP PREEMPT Sat Jun 2 09:55:10 EDT 2007
x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ AuthenticAMD
GNU/Linux
-mike
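
Added example (not part of the original message): a shell check that identifies the image a process is running by device and inode rather than by the path text of /proc/PID/exe, which the transcript above shows can name another directory once the file has been replaced. The function names and verdict strings are assumptions made for this example, and a stat that supports -c (GNU or BusyBox) is assumed.

```shell
#!/bin/sh
# Added example: identify a process's running image by device:inode instead of
# trusting the path text that readlink prints for /proc/PID/exe.

# Split a link target into "path|state". The " (deleted)" suffix is what the
# transcript above shows once the image has lost its name.
parse_exe_link() {
    suffix=' (deleted)'
    case $1 in
        *"$suffix") printf '%s|deleted\n' "${1%"$suffix"}" ;;
        *)          printf '%s|present\n' "$1" ;;
    esac
}

# "device:inode" of a file, following symlinks; empty output if it is missing.
file_id() { stat -L -c '%d:%i' "$1" 2>/dev/null; }

# Pure decision. $1 = id of the running image, $2 = id of the file now at the
# expected path, $3 = present|deleted (from parse_exe_link).
classify() {
    if [ -n "$1" ] && [ "$1" = "$2" ]; then
        echo same-file        # process runs exactly what is on disk
    elif [ "$3" = deleted ]; then
        echo image-unlinked   # old inode still running; path text is only a hint
    else
        echo different-file   # a named file at another path is running
    fi
}

# check_exe PID EXPECTED_PATH -> prints "<verdict> <kernel-reported link>"
check_exe() {
    link=$(readlink "/proc/$1/exe") || { echo unreadable; return 1; }
    parsed=$(parse_exe_link "$link")
    echo "$(classify "$(file_id "/proc/$1/exe")" "$(file_id "$2")" "${parsed##*|}") $link"
}

# Usage (script name is arbitrary): sh check_exe.sh 17144 /usr/sbin/MOO
if [ "$#" -eq 2 ]; then check_exe "$1" "$2"; fi
```

For an image-unlinked result, the bytes of the running image are still readable through /proc/PID/exe, so they can be hashed and compared with the previously installed binary.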